Thursday, 14 March 2019

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help customers protect their AWS accounts and workloads. GuardDuty monitors for activities such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. It also detects potentially compromised instances and reconnaissance by attackers.

Amazon GuardDuty does not require an IT team to deploy, manage and scale additional security software. Instead, an administrator or security analyst enables GuardDuty via the AWS Management Console, and the service immediately begins to analyze the cloud environment. However, some of the more advanced threat detection capabilities require one or two weeks to establish normal baselines for comparison.

Once enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately start analyzing billions of events across AWS accounts for signs of risk. It recognizes suspected attackers through integrated threat intelligence feeds and uses machine learning to find anomalies in account and workload activity. Whenever a potential threat is detected, the service delivers a detailed security alert to the GuardDuty console and AWS CloudWatch Events. This flow makes alerts actionable and easy to integrate into existing event management and workflow systems.

The service utilizes built-in threat intelligence, anomaly detection and machine learning capabilities developed by the AWS security team to perform analysis in near real time.

While an admin can supply GuardDuty with his or her own list of "safe" (trusted) IP addresses, the service does not otherwise support customized detection rules. An admin can, however, respond to each GuardDuty finding with a thumbs-up or thumbs-down response to provide feedback for future detections.

Amazon GuardDuty compiles and delivers security findings in JSON format to the Management Console, which enables an admin or an automated workflow to take action accordingly. For example, Amazon CloudWatch Events can accept findings from GuardDuty, then trigger an AWS Lambda function to modify security configurations. The GuardDuty console and APIs retain security findings for 90 days.
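The CloudWatch Events to Lambda flow described above, as an added example that is not part of the original post and not AWS sample code: a Lambda handler that checks the incoming event really is a GuardDuty finding, maps the numeric severity onto GuardDuty's documented low/medium/high bands, and returns a triage decision that a downstream step could act on. The event shape follows the format GuardDuty uses when it publishes findings to CloudWatch Events; the finding ID, account ID and instance ID are constructed placeholders, and the response mapping (`RESPONSE_BY_LABEL`) is an assumption standing in for an organisation's own runbook.

```python
"""Triage a GuardDuty finding delivered through a CloudWatch Events rule.

Added example, not code from the original post or from AWS. The
CloudWatch Events rule pattern and the severity bands are as AWS
documents them; the response actions are assumptions.
"""
import json

# Event pattern a CloudWatch Events rule would use to select GuardDuty
# findings; reused here to validate events defensively inside the handler.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Severity bands GuardDuty documents for the numeric "severity" field:
# 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))

# Assumed mapping from severity label to the response a runbook would take.
# This function only decides; the actual isolation or ticketing would be a
# separate step that this example does not perform.
RESPONSE_BY_LABEL = {
    "HIGH": "isolate-and-page",
    "MEDIUM": "open-ticket",
    "LOW": "log-only",
    "INFO": "log-only",
}


def matches_rule(event):
    """True when the event's source and detail-type match EVENT_PATTERN."""
    return all(event.get(key) in allowed for key, allowed in EVENT_PATTERN.items())


def severity_label(score):
    """Map GuardDuty's numeric severity to a label using the documented bands."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFO"


def triage_finding(event):
    """Validate a CloudWatch event carrying a finding and return a triage decision."""
    if not matches_rule(event):
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    instance = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    return {
        "finding_id": finding["id"],
        "type": finding["type"],
        "account": finding["accountId"],
        "region": finding["region"],
        "severity": label,
        "instance_id": instance,
        # Archived findings were already reviewed; a workflow can skip them.
        "archived": bool(finding.get("service", {}).get("archived", False)),
        "response": RESPONSE_BY_LABEL[label],
    }


def lambda_handler(event, context):
    """Lambda entry point: log the decision as JSON and return it."""
    decision = triage_finding(event)
    print(json.dumps(decision))
    return decision


# Constructed sample event (placeholder IDs) in the shape GuardDuty sends
# to CloudWatch Events; "Backdoor:EC2/C&CActivity.B!DNS" is a real finding type.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "00000000000000000000000000000000",
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"serviceName": "guardduty", "archived": False},
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Rejecting events whose `source` or `detail-type` do not match the rule pattern is the check worth keeping even when the rule itself already filters: a Lambda function that modifies security configuration should never act on an event it did not expect, and the mapping keeps the decision (severity to response) separate from the action so the same handler can be reviewed and tested without touching any AWS resource.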

GuardDuty Management and Costs:

Amazon GuardDuty works independently from cloud resources, which means it has no performance impact on running systems. Additionally, GuardDuty uses service-linked roles through AWS Identity and Access Management, which means an admin doesn't have to manage or modify S3 bucket policies or log collection.

Amazon GuardDuty is cost effective and easy to run. It does not require customers to deploy and maintain software or security infrastructure. There are no upfront costs with GuardDuty, no software to deploy, and no threat intelligence feeds to purchase.

An AWS customer pays for GuardDuty based on the quantity of AWS CloudTrail Events and volume of VPC Flow Logs and DNS logs the service analyzes. AWS provides a 30-day free trial for GuardDuty.

Amazon Macie, another machine learning-enabled security service, differs from GuardDuty in that it focuses on data classification and protection.